Red Hat Enterprise Linux (RHEL)

DoS: GStreamer AV1 Parser Desync via gst_plugins_bad
CVE-2026-52718 6.5 - Medium - June 15, 2026

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

assertion failure

Signed Int Overflow in GStreamer VMnc Decoder
CVE-2026-52722 7.1 - High - June 15, 2026

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.

Integer Overflow or Wraparound

Heap Overflow in GStreamer librfb (RFB/VNC Client)
CVE-2026-52720 8.8 - High - June 15, 2026

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.

Heap-based Buffer Overflow

GStreamer RealMedia demuxer Re-entrancy / Infinite Loop CVE-2026-53704
CVE-2026-53704 7.1 - High - June 15, 2026

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.

Out-of-bounds Read

Overflow in GStreamer RM Demuxer: MDPR Chunk Parsing Crash
CVE-2026-53703 7.1 - High - June 15, 2026

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure.

Out-of-bounds Read

OOB Read in GStreamer pcapparse Local PCAP Crash/Info Disclosure
CVE-2026-52721 5.3 - Medium - June 15, 2026

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure.

Out-of-bounds Read

GStreamer gst-plugins-good: WavPack Decoder Integer Overflow Heap Corruption
CVE-2026-53705 7.6 - High - June 15, 2026

A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file.

Integer Overflow or Wraparound

OOB read in GStreamer VA JPEG decoder leads to crash
CVE-2026-52719 7.1 - High - June 15, 2026

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

Out-of-bounds Read

Content Injection in libreport ABRT handler via unsanitized journal logs
CVE-2026-54231 5.5 - Medium - June 13, 2026

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files.

Injection

Symlink Following in libreport postcreate Scripts Enables Arbitrary File Overwrite
CVE-2026-54230 7 - High - June 13, 2026

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

insecure temporary file

Race Condition in abrt-dbus ChownProblemDir Enables Privilege Escalation
CVE-2026-54229 7 - High - June 13, 2026

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.

Race Condition

Red Hat ABRT D-Bus SetElement TOCTOU
CVE-2026-54228 7.8 - High - June 13, 2026

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.

TOCTTOU

QEMU virtio-blk OOB Write via Malformed SCSI
CVE-2026-48914 6.7 - Medium - June 12, 2026

A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process.

Heap-based Buffer Overflow

GStreamer H.265 Parser Stack Buffer Overflow via SEI Loop Index
CVE-2026-53702 6.5 - Medium - June 11, 2026

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.

Memory Corruption

GStreamer gst-plugins-bad: H.266/VVC PPS parser OOB write
CVE-2026-53701 6.5 - Medium - June 11, 2026

An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability.

Memory Corruption

389-Ds SASL_IO Integer Overflow: DoS/RCE via Crafted Packet
CVE-2026-11774 7.6 - High - June 11, 2026

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.

Integer Overflow or Wraparound

Integer Underflow in MIT krb5 LDAP KDB to Heap OOB Read
CVE-2026-11850 5 - Medium - June 11, 2026

An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.

Integer underflow

Command Injection via Unescaped DHCP Options in dracut Legacy Path
CVE-2026-6893 8.8 - High - June 10, 2026

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.

Shell injection

389 DS Heap Buffer Overflow via OC_SUP Field Length Omission
CVE-2026-11884 6.5 - Medium - June 10, 2026

A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.

Heap-based Buffer Overflow

ansible authorized_key LPE via untrusted symlink
CVE-2026-11837 7.3 - High - June 10, 2026

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

insecure temporary file

389 DS Heap Buffer Overflow in auditlog.c
CVE-2026-11792 3.3 - Low - June 09, 2026

A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.

Heap-based Buffer Overflow

389 Directory Server stack buffer overflow in pw.c
CVE-2026-11793 4.9 - Medium - June 09, 2026

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.

Stack Overflow

389 DS PBKDF2 SHA256 Iteration Unbounded, CPU DoS Exploit
CVE-2026-11790 4.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

Resource Exhaustion

389 DS SMD5 Plugin UInt Underflow Buffer Over-read Crashes LDAP
CVE-2026-11789 4.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

Integer underflow

389 Directory Server Plugin Crash via Deref Control
CVE-2026-11788 5.9 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.

NULL Pointer Dereference

389 Directory Server Heap Overread in LDAP Filter Parsing
CVE-2026-11787 5 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.

Buffer Over-read

389 DS Type Confusion Leak LDAP Auth Response
CVE-2026-11785 4.3 - Medium - June 09, 2026

A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.

Object Type Confusion

389 DS LDIF Parser OOB Read
CVE-2026-11786 1.9 - Low - June 09, 2026

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.

Out-of-bounds Read

389 DS CS-Persistent Search Overuse: Unbounded Memory DoS
CVE-2026-11611 6.5 - Medium - June 08, 2026

A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.

Resource Exhaustion

Samba WINS NULL Deref via UDP (CVE-2026-3238)
CVE-2026-3238 7.5 - High - June 08, 2026

A flaw was found in Sambas WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

NULL Pointer Dereference

X.Org X Server AAF in CreateSaverWindow() (Xwayland)
CVE-2026-50263 5.5 - Medium - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.

Dangling pointer

X.Org XServer Xwayland OOB Read __glXDisp_ChangeDrawableAttributes
CVE-2026-50262 5.5 - Medium - June 05, 2026

An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default.

Out-of-bounds Read

X.Org X Server & Xwayland OOB Heap Write via DRI2 Buffers
CVE-2026-50264 7.8 - High - June 05, 2026

An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Memory Corruption

UAF in X.Org X Server XWayland SyncChangeCounter()
CVE-2026-50261 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

Use-after-free in X.Org X Server via SyncCounters
CVE-2026-50260 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

Stack Buffer Overflow in X.Org X Server (_XkbSetMapChecks)
CVE-2026-50259 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

CVE-2026-50258: Stack BOF in X.Org X Server & Xwayland
CVE-2026-50258 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

X.Org X Server UAF via miSyncDestroyFence()
CVE-2026-50257 7.8 - High - June 05, 2026

A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Dangling pointer

X.Org X Server: Stack Buffer Overflow via Font Alias Length Attack (CVE-2026-50256)
CVE-2026-50256 7.8 - High - June 05, 2026

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.

Stack Overflow

Root Privilege Elevation via libinput udev Property Injection
CVE-2026-50265 - June 05, 2026

Local Priv Escalation via Malformed MUD URLs in NetworkManager's dhclient
CVE-2026-10805 6.7 - Medium - June 04, 2026

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

Shell injection

GnuTLS PKCS#7 Padding Timing SideChannel Info Disclosure
CVE-2026-5419 3.7 - Low - June 01, 2026

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.

Observable Timing Discrepancy

rrdtool rrdcached Buffer Overflow via Oversized CREATE
CVE-2026-43958 7.8 - High - June 01, 2026

A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data.

Stack Overflow

Poppler Splash integer overflow arbitrary code exec
CVE-2026-10118 7.8 - High - June 01, 2026

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Integer Overflow or Wraparound

libsoup Signed-to-Unsigned Conversion Out-of-Bounds in HTTP Stream RCE
CVE-2026-6324 4.8 - Medium - May 29, 2026

A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access.

HTTP Request Smuggling

Glib-Networking GnuTLS Cert Verification Infinite Loop DoS
CVE-2026-10028 4.3 - Medium - May 28, 2026

A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.

Infinite Loop

Samba Remote Cmd Exec via Unsanitized %u in check password script
CVE-2026-4408 9 - Critical - May 28, 2026

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

Shell injection

CVE-2026-44604: rpmuncompress Command Injection W/O Sanitization
CVE-2026-44604 7 - High - May 28, 2026

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

Shell injection

Samba NTFS Reparse Points Access Control Bypass via SMB
CVE-2026-1933 7.1 - High - May 27, 2026

A flaw was found in Sambas handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.

Authorization

Sambas vfs_worm Rename Bypass Enables Overwrite of WORM Files
CVE-2026-2340 6.5 - Medium - May 27, 2026

A flaw was found in Sambas vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Improper Handling of Insufficient Permissions or Privileges